Configuring APM Client Side NTLM Authentication
Introduction
There have been a ton of requests on the boards for a simplified client side NTLM configuration, so based on Michael Koyfman’s excellent Leveraging BIG-IP APM for seamless client NTLM...
Published May 12, 2015
Version 1.0
Kevin_Stewart
Employee
EmployeeKevin_StewartEmployee
Employee
Javier_124486
Nimbostratus
NimbostratusHi everyone, -So, after reviewing we will go with pre-check before ntlm. I am interested in the option suggested by Michael above, about reviewing the windows registry, checking if the machine is join to a corporate domain and if so NTLM, else Logon Page. i am going to assume that i will use/install Edge components for this and then "Windows Registry"-Client Side-, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"."DefaultDomainName"="mydomain".
Now, since i cannot apply from the very beginning Michael's irule (it will enforce NTLm right away) i will need to instruct the variable when it should be triggered ( APM irule Event -ntlmon- right after domain check successful). So, the irule should look like the one below and since the non corporate users will not pass the windows registry they will follow the fallback path to logon page. My first concern is that i've never created an event with APM and i do not know if the device will accept the substitution of http request with "ntlmon"
when ntlmon {
ECA::enable
ECA::select select_ntlm:/Common/NTLM-auth }
So, my question is, is this feasible, does it make sense?. of course i will try on my environment but it will take some time and if somebody tried before and worked perfect i will keep pushing, else, i will appreciate a plain "no".
Again, thank you so much for the info